157

I created a service that is bound by other applications through AIDL, and I add it to the manifest as follows:

<service android:name=".MyService">
    <intent-filter>
        <action android:name="org.example.android.myservicedemo.IService" />
    </intent-filter>
</service>

where IService is the AIDL interface.

In this way, Eclipse show me the warning Exported service does not require permission. If I remove the intent-filter, the warning disappear, but obviously the applications are unable to bind to the service.

What does this warning mean?

enzom83
  • 8,080
  • 10
  • 68
  • 114
  • 36
    It means that other (arbitrary) applications the user has on his phone can bind to your `Service` and call whatever method they please that is exposed through your AIDL interface. – Jens May 06 '12 at 22:12
  • 25
    create a new [](http://developer.android.com/guide/topics/manifest/permission-element.html) in your AndroidManifest.xml and use the name of that as the `android:permission` attribute of your `` declaration. Or just ignore the warning - what is the service intended to do? If you are fine with keeping the service "internal" it's much easier just to set `android:exported="false"` on your `` – Jens May 06 '12 at 22:31
  • @Jens: It is a service that can be bound by external applications. – enzom83 May 06 '12 at 22:34
  • 3
    Then either ignore the warning or add a , use "signature" if they're all your own applications signed with the same certificate or just go with "normal" otherwise. – Jens May 06 '12 at 22:39
  • @Jens: I'm just using "normal". In order to use "signature", should I create a certificate? – enzom83 May 06 '12 at 22:55
  • 3
    You're already using a (release) certificate to sign your applications - the signature protection checks that the application requesting the permission is same-signed as the application that defined the permission. – Jens May 07 '12 at 06:36
  • 2
    @Jens Thanks...it helped me.... btw you can add your comments as answer. Let enzom83 accept it. – Vijay C Jun 15 '12 at 11:46
  • 1
    But what about Receivers? A receiver that listens for PACKAGE_ADDED broadcasts should declare which permission to be required? The broadcast is sent by the system and setting android:exported=false would not allow the receiver to listen for system broadcasts... I don't think that the Lint warning doesn't make much sense. – denis Jun 29 '12 at 13:22
  • see http://stackoverflow.com/questions/11462936/exported-activity-does-not-require-permission-when-attempting-to-launch-from-a/11526028#11526028 (possible duplicate) – Shine Jul 25 '12 at 13:56
  • 1
    Well, what if I don't *care* that other applications can access my service? What if I want to export it to everybody? – Edward Falk Nov 02 '12 at 23:38

3 Answers3

135

I had the same issue when I updated SDK to version 20. I removed it adding android:exported property android:exported="false" like so:

<service android:name=".MyService"
    android:exported="false">
    <intent-filter>
        <action android:name="org.example.android.myservicedemo.IService" />
    </intent-filter>
</service>

See this doc

Nate
  • 12,963
  • 4
  • 59
  • 80
Nam Vu
  • 5,669
  • 7
  • 58
  • 90
62

If you want to restrict you activity usage to your own application, then you should add exported=false to your activity's manifest statement.

If you want to allow other applications to use it (explicitly through its class name or, better, by using an intent with a data type or action) then you have two choices :

  • restrict those applications by using a permission
  • allow all applications to use it, then you can add tools:ignore="ExportedActivity" to your activity's manifest statement.

--

Same reasonning applies to a service, with tools:ignore="ExportedService" and content providers with tools:ignore="ExportedContentProvider".

Snicolas
  • 37,840
  • 15
  • 114
  • 173
  • 8
    This worked for me, thanks!! However, notice that this requires to *add* a xmlns declaration at the top of the manifest file: `xmlns:tools="http://schemas.android.com/tools"` – Luis A. Florit Nov 13 '12 at 23:02
  • Thanks, its added automatically by Eclipse. That's a nice complement for other IDEs users. – Snicolas Nov 14 '12 at 13:14
  • I use Eclipse 4.2.1, and it doesn't add it, giving an error (at least with the default config?). It just says: `The prefix "tools" for attribute "tools:ignore" associated with an element type "activity" is not bound`, and no choices are given for fixing this. – Luis A. Florit Nov 14 '12 at 13:52
  • It will add it if you remove your tools:foo=bar statement, then when there is an error / warning, right click and use a quick fix to add the tools statement. – Snicolas Nov 14 '12 at 14:12
  • This is what I meant: eclipse gives no quick fix for this error. – Luis A. Florit Nov 14 '12 at 20:59
  • @Snicolas Your answer should be the accepted answer, damnit! It would have saved me some time, since I looked over so many different answers for this. This is perfect, but I would highly recommend including the part about adding `xmlns:tools="http://schemas.android.com/tools"` as Eclipse would not add this for me, either. It was a pain to figure out. Also, I'm a little stupid, but I didn't know it was literally `tools:ignore="ExportedActivity"`, so I tried putting in my `Activity`s identifier. Oops! ;) Anyways, thanks! – RileyE Feb 01 '13 at 16:25
  • Can you please point me to the correct direction to "restrict those applications by using a permission"? – ericn Nov 27 '14 at 01:54
  • 1
    Special case is the SyncService, which should be exported but you only want the system to use it. For SyncService or AuthenticatorService add android:permission="signature" – Entreco Aug 13 '15 at 12:19
4

As Jens said, "It means that other (arbitrary) applications the user has on his phone can bind to your Service and call whatever method they please that is exposed through your AIDL interface."

Community
  • 1
  • 1
JD.
  • 3,005
  • 2
  • 26
  • 37